owncloud / android

:phone: The ownCloud Android App
GNU General Public License v2.0

[FEATURE REQUEST] [OIDC] Branding option to remove `login_hint` and `user` parameter from re-login URL #4291

Closed JuancaG05 closed 5 months ago

JuancaG05 commented 5 months ago

Related Issues

App: https://github.com/owncloud/android/issues/4288

QA

https://github.com/owncloud/android/pull/4291#issuecomment-1907946457

jesmrec commented 5 months ago

QA Checks over authorize request in login and re-login processes

Branding parameter

send_login_hint_and_user = true

send_login_hint_and_user = false

MDM parameter

send_login_hint_and_user = true

send_login_hint_and_user = false

jesmrec commented 5 months ago

One consideration:

I noticed this is affecting the legacy webfinger flow somehow: if send_login_hint_and_user is true, the username is propagated from the login view to the IdP. If send_login_hint_and_user is false, it is not. Since the feature and the new parameter should only affect the re-login process as defined, this might need a look.

jesmrec commented 5 months ago

I also noticed that scope and prompt are sent empty to OAuth2, because they are OIDC parameters. This is not in the scope of this PR; I will check and open an issue in order to discuss whether that behaviour could be improved.

jesmrec commented 5 months ago

> I noticed this is affecting the legacy webfinger flow somehow: if send_login_hint_and_user is true, the username is propagated from the login view to the IdP. If send_login_hint_and_user is false, it is not. Since the feature and the new parameter should only affect the re-login process as defined, this might need a look.

This is the expected behaviour, since the login and re-login calls are the same. We cannot prevent it: the side effect is attached to the branding decision regarding the send_login_hint_and_user parameter.

jesmrec commented 5 months ago

Let's move this forward
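
The QA checks listed in this thread, written as an automated audit over captured authorize URLs. This is an added example, not code from the ownCloud Android app or from this PR. The host, client id, usernames and the name `audit_authorize_url` are hypothetical, and it assumes both `login_hint` and `user` carry the account username when the option is on.

```python
from urllib.parse import urlsplit, parse_qs

IDENTITY_PARAMS = ("login_hint", "user")   # gated by send_login_hint_and_user
OIDC_ONLY_PARAMS = ("scope", "prompt")     # reported as sent empty to OAuth2


def audit_authorize_url(url, send_login_hint_and_user, expected_user=None, oidc=True):
    """Return findings for one captured authorize URL (empty list = pass)."""
    # keep_blank_values so that "scope=" is seen as present-but-empty.
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    findings = []
    for name in IDENTITY_PARAMS:
        values = query.get(name)
        if not send_login_hint_and_user:
            # Option off: the parameter must be absent, not merely empty.
            if values is not None:
                findings.append(f"{name} present although option is false")
        elif expected_user is not None and values != [expected_user]:
            # Option on and the username is known (re-login, or typed in the
            # login view): assumed to appear exactly once with that value.
            findings.append(f"{name} is {values!r}, expected {expected_user!r}")
    if not oidc:
        for name in OIDC_ONLY_PARAMS:
            if name in query and not any(query[name]):
                findings.append(f"{name} sent empty to an OAuth2 server")
    return findings


# Constructed sample requests (hypothetical host, client and user).
BASE = "https://idp.example/authorize?response_type=code&client_id=constructed-client"
SAMPLES = {
    "relogin_hint_on": (BASE + "&scope=openid&login_hint=alice&user=alice", True, "alice", True),
    "relogin_hint_off": (BASE + "&scope=openid", False, "alice", True),
    "relogin_leaks_user": (BASE + "&scope=openid&user=alice", False, "alice", True),
    "oauth2_empty_oidc": (BASE + "&scope=&prompt=", False, None, False),
}


def run_samples():
    return {name: audit_authorize_url(*args) for name, args in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in run_samples().items():
        print(name, "->", findings or "ok")
```

Because the login and re-login calls share the same request, the same audit applies to both; only `expected_user` differs (it stays `None` on a first login where no username was entered).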